Agreement between the European Union and the United States on the transfer of financial messaging data

This decision provides for the conclusion of an agreement between the European Union (EU) and the United States of America, whereby the first makes available financial messaging data to the Treasury Department of the latter, with a view to preventing and combating terrorism and terrorist financing.

ACT

Council Decision 2010/412/EU of 13 July 2010 on the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program.

SUMMARY

For the purpose of preventing, investigating, detecting or prosecuting terrorism or terrorist financing, this agreement between the European Union (EU) and the United States of America (U.S.) provides for the transfer of:

financial payment messages that refer to financial transfers and related data, which are stored in the EU by international financial payment messaging service providers (designated providers), to the U.S. Treasury Department;

relevant information acquired from the U.S. Treasury Department’s Terrorist Finance Tracking Program (TFTP) to EU countries’ law enforcement, public security or counter terrorism authorities, or to Europol or Eurojust.

To obtain the necessary data stored in the EU, the U.S. Treasury Department makes a request, and sends any supplemental documents, to a designated provider on U.S. territory. At the same time, it provides a copy of these documents to Europol, which verifies the compliance of the request with the requirements of the agreement and notifies the designated provider accordingly. Once the compliance of the request is confirmed, it will have binding legal effect and the designated provider is required to transfer the requested data to the U.S. Treasury Department.

The U.S. Treasury Department must ensure that certain safeguards, particularly in relation to the protection of personal data, are applied when the provided data is processed. The data may only be processed for the purpose of preventing, investigating, detecting or prosecuting terrorism or terrorist financing. It must be secured from unauthorised access, disclosure and loss, as well as from any unauthorised form of processing. A search of the provided data may only be initiated where there is pre-existing information or evidence indicating that the subject of the search might be connected to terrorism or its financing. All searches and the reasons thereof must be recorded.

The U.S. Treasury Department must delete non-extracted data:

no longer necessary for the fight against terrorism, based on (at least) an annual evaluation;

transmitted without having been requested;

by 20 July 2012 at the latest, if it was received before 20 July 2007;

no later than five years after receipt, if it was received after 20 July 2007.

Extracted data may be retained for only as long as is necessary to fulfil the purpose for which it was requested. The agreement also defines safeguards to limit the onward transfers of extracted data.

The U.S. Treasury Department must make information obtained through the TFTP that may contribute to the EU’s actions against terrorism available to the relevant authorities of the EU countries concerned and, as appropriate, to Europol and Eurojust. If any follow-on information is deemed as necessary to the U.S.’s fight against terrorism, it must be similarly conveyed back. To facilitate these exchanges of information, a Europol liaison officer may be delegated to the U.S. Treasury Department.

During the term of the agreement, the Commission will examine the options available for establishing an EU system equivalent to the U.S. TFTP. Once the European system is established, there will be the need to review and possibly modify this agreement and ensure the complementariness of the two systems.

Independent overseers will monitor compliance with the limitations and safeguards of the agreement. They have the authority to review, query and block searches of provided data, as well as to request for additional justifications on the connection to terrorism. One of these overseers will be appointed by the Commission.

Via the national data protection authority, a person has the right to request confirmation that his/her personal data has been processed in compliance with data protection rights. Disclosure of this information may be refused or restricted if necessary for the fight against terrorism or the protection of public or national security. In such cases, a written explanation will be given to the person, together with information on the possibility to seek administrative and judicial redress in the U.S. A person also has the right to request the rectification, erasure or blocking of inaccurate or wrongly processed personal data. To maintain the accuracy of information received or transmitted under this agreement, the data may be supplemented, deleted or corrected by each party. The U.S. Treasury Department provides information on the TFTP on a public website, including on the right of redress.

This agreement enters into force on 1 August 2010 and will remain in force for a period of five years. Afterwards, it will be automatically extended for subsequent periods of one year, unless one of the parties notifies of its intention not to extend it.